How Tracking Companies Circumvented Ad Blockers Using WebSockets - - PowerPoint PPT Presentation

SLIDE 1

How Tracking Companies Circumvented Ad Blockers Using WebSockets

Muhammad Ahmad Bashir, Sajjad Arshad, Engin Kirda, William Robertson, Christo Wilson

Northeastern University


SLIDE 5

Online Tracking

Surge in online advertising (internet economy)

  • Ad networks pour in billions of dollars.
  • Value for their investment?
  • Extensive tracking to serve targeted ads.

User concern over tracking

  • Led to the proliferation of ad blocking extensions

Ad networks fight back

  • E.g. using anti-ad-blocking scripts

SLIDE 6

Google & Safari

  • Google evaded Safari's third-party cookie blocking policy (reported by Jonathan Mayer)
  • … by submitting a form in an invisible iframe
  • Google was fined $22.5M by FTC

SLIDE 8

This Talk

How ad networks leveraged a bug in a Chrome API to bypass ad blockers using WebSockets

  1. What caused this?
  2. How was this bug leveraged by ad networks?

SLIDE 16

Web Sockets

Diagram: HTTP/S is request/response; a chatting app has to keep asking the server "anything new?" with a fresh request each time.

WebSocket (ws:// or wss://) is bidirectional:

  • Both client and server can send/receive data
  • This is a persistent connection
SLIDE 29

Ad Blockers

  • Chrome extension chrome.webRequest API
  • Extension can inspect / modify / drop outgoing requests

Diagram: each outgoing request URL (e.g. http://cnn.com/logo.jpeg, http://doubleclick.com/s1.js) is handed to the extension through the webRequest API, and the extension checks it against its rule list, usually borrowed from EasyList.

SLIDE 37

AdBlock Evasion

  • Bug in webRequest API
  • ws/wss requests did not trigger the API

Timeline (2012 to 2018):

  • Original bug reported
  • Users report unblocked ads
  • Patch finalized (landed)
  • Chrome 58 released
  • * * * *: represents when our crawls were done

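The check an ad blocker performs inside its chrome.webRequest listener, together with the blind spot the slides describe, as an added example that is not from the talk or its authors. The `||host^` rule syntax is a simplified EasyList form, the rule and URLs are constructed, and the version gate models the timeline's statement that the patch shipped in Chrome 58.

```javascript
// Added example, not from the talk: a minimal EasyList-style matcher in the
// shape an ad-blocking extension uses inside chrome.webRequest.onBeforeRequest,
// plus a model of the bug on the slides: before Chrome 58 the browser never
// dispatched ws:// and wss:// handshakes to webRequest listeners at all.

// Simplified EasyList rule: "||host^" blocks host and its subdomains on any
// scheme; any other rule is treated as a plain substring match.
function compileRule(rule) {
  if (rule.startsWith("||") && rule.endsWith("^")) {
    const host = rule.slice(2, -1).toLowerCase();
    return (url) => {
      const h = new URL(url).hostname.toLowerCase();
      return h === host || h.endsWith("." + host);
    };
  }
  return (url) => url.includes(rule);
}

// The listener body: returning {cancel: true} drops the request.
function onBeforeRequest(details, matchers) {
  return { cancel: matchers.some((m) => m(details.url)) };
}

// Whether the browser hands this request to the extension at all.
// Constructed model of the slides' timeline: WebSocket handshakes only
// reach webRequest listeners from Chrome 58 onwards.
function reachesWebRequest(url, chromeMajor) {
  const scheme = new URL(url).protocol;
  if (scheme === "ws:" || scheme === "wss:") return chromeMajor >= 58;
  return true;
}

// Run a page's outgoing requests through the pipeline and return the ones
// that actually go out to the network.
function simulatePage(urls, rules, chromeMajor) {
  const matchers = rules.map(compileRule);
  return urls.filter((url) => {
    if (!reachesWebRequest(url, chromeMajor)) return true; // never filtered
    return !onBeforeRequest({ url }, matchers).cancel;
  });
}

// Constructed sample: the two URLs shown on the slides plus a WebSocket
// handshake to the same ad host; the rule is constructed, not from EasyList.
const SAMPLE_RULES = ["||doubleclick.com^"];
const SAMPLE_URLS = [
  "http://cnn.com/logo.jpeg",
  "http://doubleclick.com/s1.js",
  "wss://doubleclick.com/socket",
];
```

With the pre-58 model the socket handshake to the blocked host is never seen by the extension, which is exactly the gap the crawl data below measures.
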
SLIDE 45

Data Crawling

Pipeline:

  • 100K websites sampled from Alexa
  • Visit 15 links / website
  • Collected chains for all included resources. This means we know which resource included which other resource.
  • Filter WebSockets: filter all resources which end in web sockets
  • Detect A&A WebSockets: mark web sockets which are used by A&A domains

A&A = Advertising and Analytics, e.g. DoubleClick, Criteo, Adnxs

Example Inclusion Tree (WebSockets marked):

  pub/index.html
    srv.ws (WebSocket)
    ads/script.js
      ads/frame.html
        ads/img_a.jpg
        adnet/data.ws (WebSocket)

SLIDE 47

Data Crawling

Example Inclusion Tree after filtering down to the A&A WebSocket:

  pub/index.html
    ads/script.js
      ads/frame.html
        adnet/data.ws (WebSocket)

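The filter and detect steps of the pipeline over an inclusion tree, as an added example that is not the authors' crawler. The tree, hostnames and A&A list are constructed, modelled on the slides' "Example Inclusion Tree" and the backup slide where ads/script_12.js opens the socket.

```javascript
// Added example, not the authors' crawler: walk an inclusion tree from a
// crawl, find every WebSocket leaf, record its inclusion chain, its initiator
// (the resource that opened it) and whether initiator and receiver are A&A.
// Tree, hostnames and the A&A list are constructed for illustration.

// Constructed A&A list; a real crawl would use a curated domain list.
const AA_DOMAINS = new Set(["doubleclick.com", "criteo.com", "adnxs.com", "adnet.example"]);

// Constructed simplification: the last two labels of the hostname.
function registrableDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

function isWebSocket(url) {
  const p = new URL(url).protocol;
  return p === "ws:" || p === "wss:";
}

const isAA = (url) => AA_DOMAINS.has(registrableDomain(url));

// Depth-first walk; `chain` is the list of ancestors from the page root.
// A socket's initiator is its parent in the tree (the script that called
// new WebSocket); its receiver is the socket URL's own host.
function findSockets(node, chain = [], out = []) {
  const path = [...chain, node.url];
  if (isWebSocket(node.url)) {
    const initiator = chain[chain.length - 1] ?? node.url;
    out.push({
      socket: node.url,
      chain: path,
      initiator,
      initiatorIsAA: isAA(initiator),
      receiverIsAA: isAA(node.url),
    });
  }
  for (const child of node.children ?? []) findSockets(child, path, out);
  return out;
}

// The slides' last pipeline step: keep sockets with A&A on either end.
function aaSockets(root) {
  return findSockets(root).filter((s) => s.initiatorIsAA || s.receiverIsAA);
}

// Constructed tree: a publisher page opens its own socket and includes an ad
// script whose iframe loads script_12.js, which opens a socket to an ad network.
const SAMPLE_TREE = {
  url: "http://pub.example/index.html",
  children: [
    { url: "wss://pub.example/srv.ws" },
    { url: "http://ads.doubleclick.com/script.js", children: [
      { url: "http://ads.doubleclick.com/frame.html", children: [
        { url: "http://ads.doubleclick.com/script_12.js", children: [
          { url: "ws://adnet.example/data.ws" },
        ] },
        { url: "http://ads.doubleclick.com/img_a.jpg" },
      ] },
    ] },
  ],
};
```
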
SLIDE 55

High-Level Numbers

Crawl Dates       Period            %Websites     %Sockets with    %Sockets with    #Unique A&A   #Unique A&A
                                    with sockets  A&A Initiators   A&A Receivers    Initiators    Receivers
Apr 02-05, 2017   Before Chrome 58  2.1           60.6             73.7             75            16
Apr 11-16, 2017   Before Chrome 58  2.4           61.3             74.6             63            18
May 07-12, 2017   After Chrome 58   1.6           60.2             69.7             19            15
Oct 12-16, 2017   After Chrome 58   2.5           63.4             63.7             23            18

  • ~2% websites use web sockets.
  • ~61% sockets are initiated by A&A domains
  • ~71% sockets contact an A&A domain
  • # Initiators drop after Chrome 58 release.
  • Small but persistent A&A receivers.

A&A = Advertising and Analytics, e.g. DoubleClick, Criteo, Adnxs

SLIDE 66

Initiators and Receivers

Diagram: Initiator (JavaScript) --ws/s--> Receiver

Top A&A Initiators                      Top A&A Receivers
A&A Initiator       #A&A Receivers      A&A Receiver     #A&A Initiators
facebook            11                  realtime         27
google              11                  33across         19
doubleclick          9                  intercom         16
youtube              8                  disqus           13
addthis              8                  zopim            12
hotjar               7                  hotjar           11
googlesyndication    6                  feedjit          10
twitter              5                  lockerdome        8
sharethis            4                  inspectlet        6
adnxs                3                  smartsupp         4

  • Disqus provides comment board services.
  • Zopim, Intercom, Smartsupp provide live chat services.
  • 33across & Lockerdome are advertising platforms.
  • Inspectlet & Hotjar are session replay services.

SLIDE 71

Sent Items Over Web Sockets

  • Stateful identifiers like Cookie and User IDs
  • Fingerprinting data in ~3.4% of WebSockets; 97% of that is 33across
  • ~1.6% of WebSockets send the entire DOM to Hotjar, LuckyOrange, TruConversion

Chart: % Requests (0-80) carrying Cookie, IP, User IDs, Fingerprinting Variables, DOM; WebSockets vs HTTP/S

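A classifier for what a sent WebSocket frame carries, in the slide's categories, as an added example that is not the authors' analysis code. The frames, the browser-state values in `ctx` and the fingerprinting key shortlist are constructed.

```javascript
// Added example, not the authors' analysis code: classify what each frame a
// page sends over a WebSocket carries, using the slides' categories (cookie,
// IP, user ID, fingerprinting variables, DOM). Frames and browser-state
// values are constructed; a crawler would fill ctx from the visit it observed.

// Property names that typically travel together in a fingerprinting bundle;
// constructed shortlist, two or more hits count as fingerprinting.
const FINGERPRINT_KEYS = ["screen", "plugins", "canvas", "useragent", "timezone", "fonts"];

function classifyFrame(payload, ctx) {
  const found = new Set();
  // Stateful identifiers: values the site set as cookies or used as user IDs.
  if (ctx.cookieValues.some((v) => v.length >= 8 && payload.includes(v))) found.add("cookie");
  if (ctx.userIds.some((id) => payload.includes(id))) found.add("userid");
  if (payload.includes(ctx.clientIp)) found.add("ip");
  const lower = payload.toLowerCase();
  const fpHits = FINGERPRINT_KEYS.filter((k) => lower.includes(k));
  if (fpHits.length >= 2) found.add("fingerprint");
  // A serialized DOM: markup for the whole document, not a small snippet.
  if (/<html[\s>]/i.test(payload) && /<body[\s>]/i.test(payload) && payload.length > 512) found.add("dom");
  return [...found].sort();
}

// Per-category counts across the frames sent on one socket, so the share of
// sockets carrying each item can be computed the way the chart does.
function tallyFrames(frames, ctx) {
  const tally = { cookie: 0, userid: 0, ip: 0, fingerprint: 0, dom: 0, none: 0 };
  for (const f of frames) {
    const cats = classifyFrame(f, ctx);
    if (cats.length === 0) tally.none += 1;
    for (const c of cats) tally[c] += 1;
  }
  return tally;
}

// Constructed browser state for one visit.
const SAMPLE_CTX = { cookieValues: ["a1b2c3d4e5f6"], userIds: ["usr-77421"], clientIp: "203.0.113.9" };

// Constructed frames in the shape of what the slides report being sent.
const SAMPLE_FRAMES = [
  '{"sid":"a1b2c3d4e5f6","ev":"pageview"}',
  '{"u":"usr-77421","ip":"203.0.113.9"}',
  '{"screen":"1920x1080","plugins":["pdf"],"canvas":"9f2c1a"}',
  '{"ev":"ping"}',
  "<html><body>" + "<div class=\"row\">x</div>".repeat(40) + "</body></html>",
];
```
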
SLIDE 76

Received Items Over Web Sockets

Chart: % Responses (0-50) by type: HTML, JSON, JavaScript, Images; WebSockets vs HTTP/S

Ads served from Lockerdome

SLIDE 78

Summary

  • ~67% of socket connections are initiated or received by A&A domains.
  • Major companies like Google, Facebook, Addthis adopted WebSockets. Abandoned after Chrome 58 was released.
  • The culprits:
      • 33across was harvesting fingerprinting data.
      • DOM exfiltration by HotJar, LuckyOrange, TruConversion
      • Lockerdome downloaded URLs to serve ads.
  • We need to keep up with the current practices of A&A companies.

Questions?

ahmad@ccs.neu.edu

SLIDE 79

Backup Slides

SLIDE 80

Inclusion Chain

DOM Tree:

  <html>
    <body>
      <script src="tracker/script.js"></script>
      <img src="tracker/img.jpg">
      <script src="ads/script.js"></script>
      <iframe src="frame.html">
        <html>
          <body>
            <script src="script_12.js"></script>
            <img src="img_a.jpg">
          </body>
        </html>
      </iframe>
    </body>
  </html>

Inclusion Tree:

  pub/index.html
    tracker/script.js
    tracker/img.jpg
    ads/script.js
      ads/frame.html
        ads/script_12.js
          adnet/data.ws
        ads/img_a.jpg

Source code for ads/script_12.js:

  let ws = new WebSocket("ws://adnet/data.ws", …);
  ws.onopen = function (e) { ws.send("…"); };